On Tue, Jun 9, 2009 at 9:38 AM, Tyler Close<tyler.close@gmail.com> wrote:
> On Tue, Jun 9, 2009 at 9:29 AM, Adam Barth<w3c@adambarth.com> wrote:
>> Â Isn't the whole
>> point of this feature to be able to distinguish guest and non-guest?
>
> So requests from XMLHttpRequest have an Origin header, and requests
> from GuestXMLHttpRequest don't. The server should treat requests
> coming from GuestXMLHttpRequest as bits arriving from an unknown
> client (ie: a "guest"), and so only authorize them based on
> information explicitly included in the request.
Given an HTTP request, what algorithm should the server use to
determine whether the request was generated by GuestXMLHttpRequest?
Adam